16.2.8.1. OKTA

ServiceOps supports SAML 2.0, which enables integration for Single Sign-On. ServiceOps acts as the Service Provider (SP) and integrates with Identity Providers (IDP) using SAML 2.0. The integration consists of exchanging identifiers, endpoints and certificates between the SP and the IDP in both directions. Once ServiceOps is integrated with an IDP, users sign in to the IDP once and can then open ServiceOps from the identity provider’s GUI without entering their credentials again. ServiceOps supports integration with OKTA.

To configure SSO with the OKTA service, follow the steps below:

Step 1: Sign-in to the ServiceOps portal as a Technician.

[Figure: Sign-In Page]

Step 2: Navigate to Settings > Admin > Organization > System Preference > Application Settings tab, and the following page appears.

[Figure: System Preference]

Verify that the Base URL (3) matches the portal URL. If it still holds the default IP address, update it and click Update (4) as shown above.

Step 3: Navigate to Settings > Admin > Users > SSO Configuration, and the following page appears.

[Figure: SSO Configuration page]

Step 4: Enable the SSO functionality; the following parameters appear. They are available only while SSO is enabled. By default, SSO is disabled.

[Figure: SSO Configurations]

Step 5: Provide the following details (parameter name followed by its description):

Enforce to authenticate with Single Sign-On only (refer to the Note below): Indicates whether users may sign in with the local authentication mechanism, i.e. whether all users created in the system must authenticate via SSO only or may use both SSO and local login. If enabled, the Excluded Technicians parameter becomes available. By default, it is disabled.

Auto Create User: Enable to create the user automatically if it does not already exist in the system. By default, disabled.

Excluded Technicians: Select the technicians to exclude from the SSO-only enforcement. You can select multiple technicians and search for the desired technician. Technicians selected here whose authentication mode is Local can use both login mechanisms (SSO and local).

IDP Entity ID: Enter the Entity ID of the IDP. This field is mandatory.

IDP Login URL: Enter the login URL of the IDP to which the user is redirected. This field is mandatory.

IDP Logout URL: Enter the logout URL of the IDP to which the user is redirected after signing out of the ServiceOps portal. If not provided, the user remains on the same page. This field is optional.

IDP Security Certificate: Enter the certificate that the IDP provides for the integration. The SAML responses sent by the IDP are validated using this certificate.

SP Entity ID: Displays the Entity ID of the Service Provider (ServiceOps).

Assertion Consumer URL: Displays the endpoint of the ServiceOps application to which the IDP posts SAML responses.

SP Single Logout URL: Displays the URL to which the user is redirected after signing out.

SP Public Key: Provided by the Service Provider.

SP Private Key: Provided by the Service Provider.

SP Metadata File: Download the metadata file provided by the Service Provider. It contains all the details the SAML-enabled entity (the IDP) needs to interact with the Service Provider.

Note

  1. The Super Admin (the tenant’s registered user) can always log in normally without SSO, even if not added to the exclusion list.

  2. The Login button is always visible, whether this option is enabled or not. (If a super admin needs to update or reconfigure the settings, they can log in and do so.)

  3. If this option is enabled, no one else can log in using the Login button; the error message “You are not allowed to Login from here. Try login from Single Sign on Login page.” is displayed (except for the tenant user).
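As an added illustration (not ServiceOps code), the following Python builds the kind of SP metadata file described above from the SP Entity ID, Assertion Consumer URL, SP Single Logout URL and SP public certificate, and reads back the two values OKTA asks for in Step 8 (Audience URI and Single sign on URL). All URLs and the certificate body are constructed placeholders, and deriving the SP endpoints from the portal Base URL is an assumption.

```python
import xml.etree.ElementTree as ET

# Namespaces and bindings used by SAML 2.0 SP metadata.
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)

# Constructed sample values (assumed to hang off the portal Base URL).
SAMPLE_SP = {
    "sp_entity_id": "https://serviceops.example.com/saml/metadata",
    "acs_url": "https://serviceops.example.com/saml/acs",
    "slo_url": "https://serviceops.example.com/saml/slo",
    "cert_b64": "MIIC...CONSTRUCTED-PLACEHOLDER...",
}


def build_sp_metadata(sp_entity_id, acs_url, slo_url, cert_b64):
    """Return an EntityDescriptor (bytes) carrying the SP values shown on the
    SSO Configuration page. cert_b64 is the base64 body of the SP public
    certificate without the PEM header and footer lines."""
    root = ET.Element(f"{{{MD}}}EntityDescriptor", {"entityID": sp_entity_id})
    sp = ET.SubElement(root, f"{{{MD}}}SPSSODescriptor", {
        "protocolSupportEnumeration": "urn:oasis:names:tc:SAML:2.0:protocol",
        "WantAssertionsSigned": "true",  # SP expects the IdP to sign assertions
    })
    key = ET.SubElement(sp, f"{{{MD}}}KeyDescriptor", {"use": "signing"})
    x509 = ET.SubElement(ET.SubElement(key, f"{{{DS}}}KeyInfo"), f"{{{DS}}}X509Data")
    ET.SubElement(x509, f"{{{DS}}}X509Certificate").text = cert_b64
    ET.SubElement(sp, f"{{{MD}}}SingleLogoutService",
                  {"Binding": REDIRECT_BINDING, "Location": slo_url})
    ET.SubElement(sp, f"{{{MD}}}AssertionConsumerService",
                  {"Binding": POST_BINDING, "Location": acs_url,
                   "index": "0", "isDefault": "true"})
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def parse_sp_metadata(xml_bytes):
    """Read back what the IdP admin copies into the OKTA SAML settings:
    Audience URI (SP Entity ID) and Single sign on URL (the ACS endpoint)."""
    root = ET.fromstring(xml_bytes)
    acs = root.find(f"{{{MD}}}SPSSODescriptor/{{{MD}}}AssertionConsumerService")
    slo = root.find(f"{{{MD}}}SPSSODescriptor/{{{MD}}}SingleLogoutService")
    return {"audience_uri": root.get("entityID"),
            "single_sign_on_url": acs.get("Location"),
            "acs_binding": acs.get("Binding"),
            "single_logout_url": slo.get("Location")}
```

Running `parse_sp_metadata(build_sp_metadata(**SAMPLE_SP))` yields the Audience URI and Single sign on URL to paste into OKTA.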

Step 6: Click Update, and the confirmation message “SSO Configuration has been updated successfully” appears.

Step 7: In OKTA, navigate to Applications > Applications > Browse App Catalog > General tab, and the following page will appear:

[Figure: Setting up Single Sign-On with SAML]

Step 8: Edit the SAML Settings and navigate to Configure SAML tab, as shown below:

[Figure: SAML Settings]

Configure the following details:

  • Single sign on URL

  • Audience URI (SP Entity ID)

To access these details, navigate to ServiceOps Home page > Admin > Users > SSO Configuration page.

[Figure: ServiceOps SAML Settings]

Step 9: Open the ServiceOps Portal and sign-in using the SSO login button, as shown below:

[Figure: ServiceOps Portal]

Step 10: You will be redirected to the OKTA sign-in page, as shown below:

[Figure: OKTA Sign-in Page]

Step 11: Sign-in to OKTA, and you will be redirected to the ServiceOps portal as shown below:

[Figure: Redirection from OKTA to the ServiceOps Portal]

Step 12: To sign out, click the username and then click Sign-Out.

[Figure: Signing-Out from the ServiceOps Portal]

You will be redirected to the OKTA page again or remain on the portal, depending on the configured SAML logout URL.

Step 13: To import users, click the User Import Configuration button, and a popup appears:

[Figure: Import Configuration]

Enter the following details:

  • Enable the functionality. By default, disabled.

  • SSO Provider: Select the provider of SSO functionality.

  • Domain URL: Enter the domain URL of the OKTA client.

  • Group Filter: Enter the Group Filter whose users you want to import from OKTA.

  • Add Notification Email: Add the email address of the users who should be notified about the import.

Step 14: In the Configuration tab, configure the following parameters:

  • API Key: Enter the OKTA client’s API Key (API Token). To generate the token:

  1. In the OKTA client, click the menu icon and navigate to the Security > API > Tokens tab.

[Figure: Tokens Tab]

  2. Click the Create Token button, and a popup appears.

[Figure: Create Token]

  3. Enter a name for the token and click Create Token. A popup displaying the created token appears as shown below:

[Figure: Create Token]

  4. Copy the token and use it in the API Key field.

Note

  1. The token is shown only once, at the time of creation. Hence, it is recommended to store the token securely for future use.

  2. Tokens are valid for 30 days from creation or last use, so the validity is refreshed with each API call. Tokens that remain unused for 30 days expire.

Step 15: In the Mapping tab, map the fields to be imported as shown below. Custom fields must be prefixed with the word profile, for example profile.email.

[Figure: Mapping Tab]
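Added example (not ServiceOps or OKTA code) showing how the profile.-prefixed paths from the Mapping tab resolve against the user objects OKTA’s Users API returns, run on a constructed sample. Skipping users whose status is not ACTIVE and treating email as required are this example’s own choices, not documented ServiceOps behaviour.

```python
import json

# Constructed sample of what OKTA's Users API returns (abridged). User
# attributes sit under the "profile" object, hence the profile. prefix.
OKTA_USERS_JSON = """[
 {"id": "00u1constructed", "status": "ACTIVE",
  "profile": {"email": "asha@example.com", "firstName": "Asha", "lastName": "Rao", "department": "Finance"}},
 {"id": "00u2constructed", "status": "DEPROVISIONED",
  "profile": {"email": "old@example.com", "firstName": "Old", "lastName": "Account"}},
 {"id": "00u3constructed", "status": "ACTIVE",
  "profile": {"email": "kai@example.com", "firstName": "Kai", "lastName": "Ito"}}
]"""

# ServiceOps requester field -> OKTA field path, as typed on the Mapping tab.
FIELD_MAPPING = {
    "email": "profile.email",
    "name": "profile.firstName",
    "last_name": "profile.lastName",
    "department": "profile.department",  # custom attribute, may be absent
}

def resolve(path, record):
    """Walk a dotted path such as 'profile.email' through nested dicts,
    returning None (rather than raising) when a segment is missing."""
    cur = record
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def map_users(users, mapping, required=("email",)):
    """Turn OKTA user objects into requester records. Users whose status is
    not ACTIVE, or that lack a required field, are skipped with a reason."""
    imported, skipped = [], []
    for user in users:
        if user.get("status") != "ACTIVE":
            skipped.append((user["id"], "status " + user.get("status", "?")))
            continue
        requester = {field: resolve(path, user) for field, path in mapping.items()}
        missing = [f for f in required if requester.get(f) is None]
        if missing:
            skipped.append((user["id"], "missing " + ",".join(missing)))
            continue
        imported.append(requester)
    return imported, skipped

def run():
    return map_users(json.loads(OKTA_USERS_JSON), FIELD_MAPPING)
```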

Step 16: In the Schedule tab, enable the scheduler, select the schedule type, and select the date and time you want the users to be imported automatically.

[Figure: Schedule Tab]

Step 17: Once all the details are filled in, click Save. You can also check connectivity by clicking the Test Connection button.

Step 18: Once the connection is successful, click the Import Users button, and the imported users are added as requesters in ServiceOps as shown below:

[Figure: Users Imported from OKTA]

Step 19: Here, you can also view the User Import Configuration history.

[Figure: User Import History]